System and Method for Supporting Multiple Identities for a Secure Identity Device

ABSTRACT

A multiple-identity secure device (MISD) persistently stores a single identification code (a “seed identity”). The seed identity need not be a network address, and may be stored in an integral memory of the device, or on an interchangeable card received in a physical interface of the MISD. The MISD is provided with a transformation engine, in hardware or software form, that is subsequently used to generate one or more unique identities (e.g., network addresses) from the stored seed identity using predefined logic. The generated identities may be dynamically generated, e.g., in real-time as needed after deployment of a device into possession of a subscriber/customer/user, etc., or may be securely stored in the MISD for subsequent retrieval. The transformation engine may generate a unique identity in accordance with an addressing scheme identified as a default setting, a global/network setting, or as determined from a received data transmission.

CROSS-REFERENCE TO RELATED APPLICATION

This application is based on and claims priority to U.S. ProvisionalApplication No. 61/106,338, filed Oct. 17, 2008, the entire disclosureof which is hereby incorporated herein by reference.

FIELD OF THE INVENTION

The present invention relates generally to secure communications betweendevices in an information network. More particularly, the presentinvention relates to a system and method for supporting multipleidentities for a secure identity device by dynamic generation of deviceidentities from a persistently-stored seed identity.

DISCUSSION OF THE RELATED ART

An “information network” refers to a collection of elements or devices,collectively “devices”, having a transport mechanism for exchanginginformation or content between the devices. Such networks may have anysuitable architecture, including, for example, client-serverarchitecture, 3-tier architecture, N-tier architecture, distributedobjects, loose coupling, or tight coupling.

One example of an information network is a subscriber-based cable orsatellite system, such as the exemplary system shown in FIG. 1. Thisexemplary information network is typical of many different types ofinformation networks in that it involves data transmissions betweendevices in the network, and that it is often advantageous or necessarythat a particular device be uniquely identifiable and/or addressable onthe network, and/or that transmissions be made in a secure manner withspecific devices.

By way of further example, with reference to FIG. 1, the exemplarysubscriber-based television system, that propagates content (e.g.,entertainment and commercials information such as movies, sports,television programming and the like), information (e.g., video ondemand, Interactive Program Guide (IPG) services and the like) andapplications (e.g., billing and other services) to client devices or settop boxes associated with subscribers/users.

“Set top box” or STB refers to a device that connects to a monitor andan external source of signal, converting the signal into content fordisplay/transmission over the monitor. The signal source might be anEthernet cable, a satellite dish, a coaxial cable, a fiber optic cable,a telephone line (including DSL connections), Broadband over Power Line,or even an ordinary antenna. The STB may have several differentembodiments. For example, it may be a special digital STB for deliveringdigital content on TV sets that do not have a built in digital tuner.The STB may also descramble premium channels. An STB may be a cableconverter box to receive digital cable TV channels and convert them toanalog for non-digital TVs. In the case of direct broadcast satellite(mini-dish) systems such as SES Astra, Dish Network, or DirecTV, the STBis an integrated receiver/decoder (or IRD). In internet packet (IP) TVnetworks, the STB is a small computer providing two-way transmissions onan IP network, and decoding the video streaming media which eliminatesthe need for any coaxial cabling. The STB may be a discrete unit or itsfunctionality may be incorporated into other components of the user'ssystem such as the monitor, TV, DVR, residential gateway, or personalcomputer. For example, the STB may be a portable, modular unit (i.e., apersonal STB) or it may be integrated into a stationary TV system. TheSTB may contain one or more digital processors or may use the processingcapabilities of the other system components (e.g., TV, DVR, personalcomputer). Additionally, rather than having its own tuner, the STB mayuse the tuner of a television (or DVR).

A “digital video recorder” (DVR) refers to a device or system thatrecords video in a digital format to a digital storage medium such as adisk drive or solid state memory for future playback. DVRs havedifferent configurations. For example, a DVR may be a stand-alone,modular unit (such as those sold by TiVo), it may be a portable personaldevice, or it may be incorporated into other audiovisual components suchas a set-top box or the TV itself. It may even be software for apersonal computer (PC) that enables the PC to capture video for playbackusing the digital storage medium of the PC.

The system of FIG. 1 transmits various data signals constituting variouscontent, which signals may be scrambled, encrypted or otherwise secured,to the different STBs 142 in the system. Operation and interconnectionof the similar devices in a similar system are described in detail inU.S. Pat. No. 5,787,172, the entire disclosure of which is herebyincorporated herein by reference. The term “transmitted” or “transmits”refers broadly to sending a signal from a transmitting device to areceiving device. The signal may be transmitted wirelessly or over asolid medium such as wire or fiber.

The exemplary system 100 of FIG. 1 comprises a head-end 120, a network130 and a plurality of set-top boxes STBs 140 ₁ through 140 _(N)(collectively STBs 140), as is typical of such systems. The head-end 120typically also comprises an application server 122 and operates in partto transmit information to, and receive information from, the STBs 140via network 130. The head-end 120 also comprises a server 110 whichreceives data from a data provider 106 through a network 107 such as,for example, the Internet. The server 110 may be accessed using anoperator GUI 112 for adding and monitoring data.

The head-end 120 is associated with a neighborhood of STBs 140 _(1-N).The head-end 120 communicates with the STBs 140 within its neighborhoodvia a downstream transmissions channel (DOWN) and an upstreamtransmissions channel (UP). These channels are supported by a networktopology 130, such as a hybrid fiber-coax cable television distributionsystem, a satellite distribution system (e.g., using a telephone networkor reverse satellite link for upstream transmissions) and the like.

The head-end 120 interacts with the STBs 140 to enable the delivery ofcontent, etc. provided by the server, as well as to return STB messages,etc. to the server 120. Each STB is typically associated with arespective display device 150, such as a television or other videodisplay device, and a user input device 160 such as a remote control,etc.

The STBs 140 operate to receive signal transmissions from the head-ends120 via the network 130 using the downstream transmissions channel DOWN(or an out-of-band channel). The transmissions may be broadcast,multicast/narrowcast, or unicast. Broadcasting refers to thetransmission of content to an audience at large. The audience may be thegeneral public, or a sub-audience. Switched digital video is a type ofbroadcast that is initiated in response to a client request and isterminated when no more clients are tuned to it. Multicasting refers tothe simultaneous transmission of content to a plurality of specific andknown destinations or addresses in a network or between networks.Multicast is often used for streaming media and Internet televisionapplications, Ethernet multicast addressing, ATM point-to-multipoint VCsand Infiniband multicast. Unicasting refers to the transmission of asignal to a single destination or address in a network. Unicast is used,for example, in Video-On-Demand applications.

To enable such transmissions to the STBs, it is important that each STBis uniquely identifiable within the network. By way of example, theidentity of a device must be reliably determinable and authenticatableto preserve the integrity of the information network, e.g. to validatedata intended for receipt by a specific device in a data distributionsystem, prevent digital piracy, theft of content, or unauthorized accessto content in a digital data distribution system. Systems and methods ofsuch validation are well-known in the art and thus are not described indetail herein.

To ensure that each STB is uniquely identifiable, each STB is assigned aunique network address that permits the head-end to communicate with theSTB to, for example, establish in the STB an authorization code thatdetermines which pay programs that STB will be able to receive. In manysystems, the STB is also able to communicate with the head-end in atwo-way transmission link, so as to permit each STB to be interrogatedor addressed from the head-end. Such two-way transmission also requiresthat each STB be assigned a unique network address.

In order to ensure the uniqueness and authenticity of the devices, it iscommon practice to encode each device's network address (e.g. in bits)in a memory of the device at a time of manufacture of the device or oneof its components. The address/memory is secured, in part, by renderingthe associated memory location read-only after initial programming.Furthermore, the address value itself is typically made available toapplication level software via a secure API to prevent “hacking” or“spoofing” of the identity. By way of example, the STB address isconventionally stored in ROM or one-time-programming (OTP) memory duringmanufacture of the device. Alternatively, the address may be stored in aprogrammable read-only-memory (PROM) at or prior to the time the STB isinstalled at a subscriber's home. This is done in the field by aprofessional installer, using a PROM programmer. The installer typicallyprograms the PROM with the preassigned address for that STB and installsthe PROM into a socket provided for the PROM in the subscriber's STB.

These procedures are typically time-consuming, costly and inefficient,and must be repeated in the field each time a new STB is installed at asubscriber's home.

Further, as information networks have evolved, it has become apparentthat there is sometimes a need for a single device, such as a wirelesstelephone/PDA handset or DVB-Simulcrypt-capable device, to present oneof several different identities over its lifetime. Typically, this isdone by configuring the device with a physical interface configured toaccept a secure identity card, such as a SIM module or SmartCard, andallowing exchange of the identity by physically replacing one secureidentity card with another. However, the configuration of devices withsuch physical interfaces has been found to be undesirable as theyprovide an interface that can be used by pirates, hackers, etc. to gainunauthorized access to secure information networks.

Further still, there is sometimes a need for a single device to present,essentially concurrently, several different identities, e.g. to supporta conditional access system in which different permissions, rights,entitlement, content, etc. are provided according to a profile for eachidentity. In circumstances in which an interchangeable card is notintended to be employed, a single device may be initially programmed toinclude multiple unique identities. However, programming multiple,unique identities is disadvantageous in that it requires incrementallymore space in the secure memory area of the device. This space is oftenlimited and adding space is expensive, as it often requires newrevisions of the device or system-on-a-chip elements of the device.

What is needed is a system and method that addresses the disadvantagesof physical interface and multiple identity programming discussed above,and that is capable of providing multiple identities in the event that aphysical interface will not be included in a device, and in the eventthat the intended identity needed for deployment is not yet known attime of manufacture.

SUMMARY OF THE INVENTION

The present invention provides a multiple-identity secure device havinga single persistently-stored identification code (a “seed identity”),and a transformation engine that is subsequently used to generate one ormore unique identities (e.g., network addresses) for the device from thestored seed identity. The seed identity is an identification code, whichmay be unique, may be a network address, and may be a code other than anetwork address, such as a serial number or other identification code.The transformation engine includes computer-readable instructionsexecutable by a microprocessor to receive the seed identity as input,and to generate as output at least one unique identity as a function ofpredefined logic. The transformation engine may receive inputidentifying and addressing scheme, and may be configured tocorrespondingly generate unique identity that is compliant with theidentified addressing scheme. The predefined logic may includeconditional logic requiring generation of a unique identity by a firstmethod for a first condition and by a second method for a secondcondition.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will now be described by way of example withreference to the following drawings in which:

FIG. 1 is a block diagram of an exemplary prior art information networkinto which multiple-identity secure devices in accordance with thepresent invention may be deployed;

FIG. 2 is a block diagram of an exemplary multiple-identity securedevice in accordance with the present invention;

FIG. 3 is a flow diagram of an exemplary method for supporting multipleidentities for a secure identity device in accordance with the presentinvention; and

FIG. 4 is a flow diagram of an exemplary method for processing datausing a multiple-identity secure device in accordance with the presentinvention.

DETAILED DESCRIPTION

In contrast to conventional secure identity devices, each of whichstores a single network address for use to direct data transmissions toeach specific device, the present invention provides a multiple-identitysecure device having a single persistently-stored identification code (a“seed identity”), and a transformation engine that is subsequently usedto generate, in an automated fashion, one or more unique identities(e.g., network addresses) for the device from the stored seed identity.

The seed identity is an identification code. In one embodiment, the seedidentity is unique among identification devices within a network. Unlikeconventional storage of network addresses, the seed identity stored inaccordance with the present invention may be something other than anetwork address. Further, it is accessed by a transformation engine, andmay be securely stored. Although the seed identity may be a networkaddress, it may also be another code completely unrelated to a networkaddress, such as a serial number or other alphanumeric string. By way ofexample, the seed identity may comprise a simple numeric sequence, suchas a 32-bit number, or it may be more sophisticated, such as a MACaddress.

The transformation engine generates identities as a function of the seedidentity, using predefined logic. The generated identities may bedynamically generated, e.g., in real-time as needed, after deployment ofa device into the field, e.g., into the possession of asubscriber/customer/user. The transformation engine includescomputer-readable instructions executable by a microprocessor to receivethe seed identity as input, and to generate as output at least oneunique identity as a function of predefined logic accessible to thetransformation engine 220. The transformation engine may be implementedas firmware in hardware or as software stored in memory. The predefinedlogic may be incorporated into the transformation engine, e.g.,hard-coded into the transformation engine software, and may include anysuitable logic for generating a unique identity, e.g., unique networkaddress, from the seed identity. By way of example, the predefined logicmay require generation of a unique identity by adding an offset, bitmask, or bit shift to the seed identity. By way of further example, thepredefined logic may include conditional logic requiring generation of aunique identity by a first method for a first specified addressingscheme, and by a second method for a second specified addressing scheme.

Thus, the present invention provides a system and method that addressesthe drawbacks of physical interface and multiple identity programmingdiscussed above, and yet is capable of providing and supporting multipleidentities in the event that a physical interface will not be includedin a device and that the intended identity needed for deployment is notyet known at time of manufacture.

Although the prior art discussion above relates to a subscriber-basedtelevision system, one of skill in the art will understand that thepresent disclosure is applicable to a wide variety of informationnetworks that require each device to have a secure identity. Forexample, the present invention can be employed in a subscriber radiosystem, a wireless voice or data network. Examples of secure identitydevices include an STB in a cable or satellite television system, awireless telephone handset or personal digital assistant (PDA) devicesin a telecommunications network, a portable media player storingprotected content, or a removable storage device for securely storing PCdata, such as a secure RAM card.

In addition, one of skill in the art will understand that the presentdisclosure is applicable to other systems for which communication is notthe primary purpose. For example, the present invention can also beapplied in an alarm system network involving transmission betweendifferent elements of the system. The present invention should not beconstrued to limit the scope of the invention to an “informationnetwork,” where the primary objective of the system is to transmitinformation. The present invention can apply to systems in which thetransmission of information is only a minor, or even insignificant,aspect of the overall system. In fact, the present invention can beadapted for use in any system involving secure identity devices.

As used herein, an identity, memory, etc. is considered “secure” if anencryption/decryption system is used for which determination ofencrypted information is computationally or economically infeasiblewithout knowledge of specific decryption information and where thedecryption information has not been acquired by outsiders, or if asignature/verification system is used for which unauthorized insertionor modification of signed information is computationally or economicallyinfeasible without knowledge of specific signature information and wherethe signature information has not been acquired by outsiders, or if datais otherwise protected by security measures. In one embodiment, anencryption/decryption system is used for which determination ofencrypted information is computationally infeasible without knowledge ofspecific decryption information, and a signature/verification system isused for which unauthorized insertion or modification of signedinformation is computationally infeasible without knowledge of specificsignature information.

FIG. 2 is a high level block diagram of an exemplary multiple-identitysecure device (MISD) 200. Each MISD includes conventional hardware andsoftware typical of commercially-available secure identity devices,which may include a variety of client devices and/or network devices.

The exemplary MISD be a specially-configured set top box (STB) for usein the exemplary network of FIG. 1, in accordance with the presentinvention. Alternatively, the MISD may be configured as a wirelesstelephone handset, a smartphone, a PDA, a portable media player, aremovable storage device, or another device. The discussion belowdiscusses the MISD 200 in the context of an STB for illustrativepurposes only.

Referring now to FIG. 2, the MISD 200 includes a microprocessor 202 anda bus 204 employed to connect and enable communication between themicroprocessor 202 and the components of the MISD in accordance withknown techniques. The MISD typically includes at least a user interfaceadapter 206, which connects the microprocessor 202 via the bus 204 toone or more interface devices, such as a keypad 208. The bus 204 alsoconnects a display device 210, such as an external television, LCDscreen or monitor, to the microprocessor 202 via a display adapter 212.The bus 204 also connects the microprocessor 202 to non-volatile memory216, which can include a hard drive, diskette drive, tape drive, randomaccess memory (RAM), etc.

In accordance with the present invention, the MISD stores a seedidentity 218 in memory. In this example, the MISD stores the seedidentity 218 in a read-only memory (ROM) 214 operatively connected tothe microprocessor 202. The term ROM is intended herein to be read in abroad, and not limiting, fashion, and includes conventional ROM, PROMand one-time programmable (OTP) memory. For example, the MISD may storethe seed identity in a secure storage area of the device. The inclusionof such secure storage areas in such chips and devices, and storing datain such secure storage areas, are well known in the art. In accordancewith conventional manufacturing techniques, the ROM is written to at thetime of manufactures. In accordance with the present invention, a seedidentity is assigned and stored in the ROM at the time of manufacture.The seed identity may be stored in the ROM in a conventional fashion.

In one embodiment, each MISD is provided with a unique seed identity, sothat no two devices are assigned the same seed identity. In such anembodiment, a single predefined logic may be used to generate uniqueidentities from each respective seed identity.

Alternatively, some secure identity secure cards, and thus some devices,may be provided with identical seed identities. In such a case,different predefined logic may be used by the transformation engine togenerate different unique identities for the devices from the same seedidentity.

As discussed above, the MISD further includes a non-volatile storagememory operatively 216 connected to the microprocessor 202. The MISD maystore various microprocessor-executable software applications. Forexample, in the context of an STB, the MISD may store applicationprograms 142 ₁-142 _(x) (application programs 142), which may includeany of the applications used within the context of an STB 140, such asan interactive program guide (IPG) application, a VOD selection/billingapplication and the like.

In accordance with the present invention, the MISD further includes atransformation engine 220. The transformation engine 220 includescomputer-readable instructions executable by the microprocessor 202 toreceive the seed identity 218 as input, and to generate as output atleast one unique identity 222, 224 as a function of predefined logicaccessible to the transformation engine 220. The unique identity 222,224 is a code uniquely identifying the MISD, such as a network address.

In this exemplary embodiment, the transformation engine 220 isimplemented as computer software stored in the memory 216.Alternatively, the transformation engine 220 may be implemented asfirmware in hardware. In one embodiment, the software program is storedand/or executed in secure code space 226 within the device, such securecode space being well known in the art. The predefined logic may beincorporated into the transformation engine, e.g., hard-coded into thetransformation engine software.

The predefined logic may include any suitable logic for generating aunique identity, e.g., unique network address, from the seed identity.By way of example, the predefined logic and seed identities are selectedsuch that all generated identities across all devices deployed for usewithin a network are unique identities. By way of example, thepredefined logic may require generation of a unique identity by addingan offset, e.g., 0x8000, to the seed identity. Alternatively, by way ofexample, the predefined logic may require generation of a uniqueidentity by applying a predetermined bit mask or bit shift to the seedidentity.

By way of further example, the predefined logic may include conditionallogic requiring generation of a unique identity by a first method for afirst specified addressing scheme, and by a second method for a secondspecified addressing scheme. For example, such conditional logic mayrequire generation of a unique identity by adding a first offset (e.g.,0x8000) if a first addressing scheme is received as input, and a secondoffset (e.g., 0x4000) if a second addressing scheme is received asinput. It will be appreciated that the fundamental methodologies forgenerating a unique identity may be entirely different for eachaddressing scheme (e.g., requiring applying an offset for a firstaddressing scheme and requiring applying a bit mask for a secondaddressing scheme).

In one embodiment, the transformation engine 220 is capable of receivingfurther input representing a desired addressing scheme with which thegenerated unique identity must comply. For example, this input maydesignate a specific addressing scheme and the transformation engine maybe capable of generating a single identity in each scheme from the seedidentity. In a preferred embodiment, the transformation engine 220 isconfigured to be capable of generating a plurality of unique identitiesin at least one addressing scheme from the seed identity. By way ofexample, the specified addressing scheme may be a conditional accessscheme, such as Digicipher, PowerKEY, or Nagra Aladdin, or a moregeneral addressing scheme, such as a MAC address.

In other embodiments of the MISD, such as a wireless telephone handset,smartphone, PDA, personal computer, etc., the MISD may further include amouse, keyboard and/or other interface devices, such as a touchsensitive screen, digitized entry pad, etc., connected to the userinterface adapter, and may further include an integral display device.It will be understood by those skilled in the art that the MISD mayfurther include various other components, such as an operating systemstored in the memory, various conventional circuitry, various I/O portsand devices, etc., which are well-known in the art. Further, althoughthe MISD is generally depicted as a general purpose computer that isprogrammed to perform various control functions in accordance with thepresent invention, the invention can be implemented in hardware as, forexample, an application specific integrated circuit (ASIC) or fieldprogrammable gate array (FPGA). As such, the process steps describedherein are intended to be broadly interpreted as being equivalentlyperformed by software, hardware or a combination thereof.

Optionally, the ROM may be part of a secure identity card that isinterchangeably connectable to a network device via a suitable physicalinterface, such as a conventional I/O port. By way of example, adiscrete secure identity card may be one of a CableCARD, a PCMCIA card,a SIM card and a Smart Card. In such an embodiment, the MISD includes adata communication physical interface port capable of interchangeablyreceiving the cards. In a preferred embodiment, the ROM is an integralpart of the MISD and is not configured to be interchangeable. It will beappreciated that the secure identity card may be manufactured to includethe seed identity apart from any manufacture of the MISD, oralternatively, may be manufactured to include the seed identity as partof the MISD device itself. Further, it will be appreciated that thedevice may be provided with the transformation engine and predefinedlogic during manufacture of the device, or after manufacture anddeployment of the device within a network. The device and/or secureidentity cards may be distributed to end users/consumers and deployedwithin a network in any suitable manner.

In the context of FIG. 1, the MISDs could be deployed as STBs connectedvia an information network to, in this example, a head-end of a cabletelevision network. Each of the MISDs is configured to receive datatransmissions via the network. The head-end includes, as isconventional, a plurality of content sources and prepares digital datatransmissions directed to specific receiving devices, e.g. STBs. Thedigital data transmissions are directed to a specific receiving devicein that it is prepared include recipient identity data corresponding tothe intended recipient device's unique identity, e.g., network addressof a specific receiving device. Methods and systems for addressingdigital data transmissions intended for specific receiving devices arewell-known in the art.

FIG. 3 is a flow diagram illustrating an exemplary method 250 forsupporting multiple identities for a secure identity device. Referringnow to FIG. 3, the method involves preparing an MISD, which includesstoring a seed identity in a secure memory, such as ROM, of an MISD, asshown at step 252 of FIG. 3. For example, this may involve manufactureof an STB, a wireless telephone, a PDA, a computer, etc. in asubstantially conventional manner, but to include the seed identity.Alternatively, this may involve manufacture of a secure identity card ina substantially conventional manner, but to include a seed identity, andlater operatively installing the secure identity card in a physicalinterface of the MISD.

The method further includes providing a transformation engine in theMISD, as shown at step 254. For example, this may be performed duringmanufacture of the device by storing a computer program in thenon-volatile storage memory of the device. Alternatively, this may beperformed post-manufacture by copying software to the device, or bypost-installation downloading of software to the device via a network.

After the MISD has been provided, the transformation engine is run, e.g.the software is executed, to generate a unique device identity as afunction of the stored seed identity, as shown at step 256. By way ofexample, this may be performed responsive to power-up of the MISD,responsive to connection of the MISD to a network, responsive to receiptof a command via a keypad, etc. of the MISD, responsive to receipt of acommand via the network, or responsive to receipt of a data transmissionvia the network, as part of a verification process to ensure that thedata transmission is intended for the device, etc.

In this exemplary embodiment, the generated device identity is stored insecure memory of the device, e.g., in RAM, for subsequent use, as shownat step 258. In an alternative embodiment, the generated identity maynot be stored for subsequent retrieval, but rather may be generated forimmediate use and then deleted.

In this exemplary embodiment, it is next determined if another identityis required, based on an applicable security model and/or addressingscheme that is determined to be used within an information network. Thisdetermination may be signaled to the MISD by the network, for example,in an MPEG CAT (Conditional Access Table). If not, then the method ends,as shown at steps 260 and 262. If so, the transformation engine 220 maybe rerun to generate a unique identity, as shown at steps 260 and 256.It should be noted that in certain instances, that engine may be run andrerun to repeatedly generate a certain single unique identity, e.g. uponreceipt of each transmission, for verification purposes. Alternatively,the engine may be rerun to generate multiple different identities, whichmay be used concurrently, or successively. Alternatively, the engine maybe rerun to generate a new identity in response to a command via thenetwork, e.g. to implement a new identity-generation logic, to create anew identity in the event of discontinuance of service, to create a newidentity in the event of changes in the network, to create a newidentity in the event of unauthorized access, for example.

FIG. 4 is a flow diagram of an exemplary method 270 for processing datausing an MISD in accordance with the present invention. Referring now toFIG. 4, the method begins with deploying an MISD for use in the network,as shown at step 272 in FIG. 4. For example, this may involvedistributing the MISD, connecting the MISD to the network, configuringthe MISD for use in the network, etc.

Next, the method involves preparing a data transmission for securedelivery to a specific network device having a specific identity, asshown at step 274 in FIG. 4. Exemplary data transmissions include apacketized Entitlement Management Message, in the context of MPEG, andmay relate to transmissions of voice, video and/or data content. Methodsand technology for doing so are well-known in the art and therefore notdescribed in detail herein. Next, the method involves transmitting datato one or more network devices via an information network, as shown atstep 276. For example, this may be performed by the head-end in asubscriber television network, or by a wireless voice/data carrier in awireless voice/data network, or by a digital content provider in adigital information network. It should be noted that a data transmissioncan be addressed to a particular MISD when the MISD's seed identity andthe transformation logic are known to the head-end, etc. of the network,because the MISD's unique ID will be/has been generated in a predictablemanner known to the head-end, etc.

Next, the MISD receives the transmitted data, as shown at step 278.Further, the MISD extracts recipient identity data from the transmitteddata, as shown at step 280. This may be performed by applicationsoftware stored in the memory 216 of the MISD 200 and executable by themicroprocessor 202. Examples of such application software includemessage stream processors, conditional access kernels, and set-topclient middleware, and are well-known in the art.

In certain embodiments, the application software examines the recipientidentity data and determines which of several known addressing schemesare being used to direct the data transmission to the recipient. In suchembodiments, the application software provides an indication of theapplication addressing scheme as input to the transformation engine, andthe transformation engine generates a unique identity compliant with theidentified addressing scheme.

The MISD then obtains a generated identity, generated by thetransformation engine from the seed identity, as shown at step 282. Inone embodiment, this involves referencing a secure storage area 216 ofthe MISD and retrieving an identity 222 previously-generated by thetransformation engine 220. In a preferred embodiment, this involvescausing the transformation engine 220 to run to generate a uniqueidentity in response to receipt of a data transmission at the MISD.

In embodiments in which the MISD determines the addressing scheme usedby the data transmission, the MISD retrieves an identity conforming tothat addressing scheme from the memory of the MISD, or alternatively,provides the identity of that addressing scheme as an input to thetransformation engine for use to generate an identity compliant withthat addressing scheme.

The MISD then compares the generated identity to the recipient identitydata to determine whether they correspond. For example, correspondencemay be found when there is an exact match of all or a portion of therecipient identity data to the generated unique identity, as known inthe art. In this manner, each MISD may determine whether the receiveddata transmission is intended for that particular MISD, as shown atsteps 282 and 284. This may be performed by the application software, asis conventional in secure identity systems.

If it is determined at step 286 that the generated identity does notcorrespond to the recipient identity data specified by the datatransmission, then the received data transmission was not intended foruse by that particular MISD, and the received data transmission isdiscarded, e.g., deleted or ignored, and the method ends, as shown atsteps 288 and 290.

If it is determined at step 286 that the generated identity doescorrespond to the recipient identity data specified by the datatransmission, then the received data transmission was intended for useby that particular MISD, and the MISD processes the received datatransmission in a conventional manner and the method ends, as shown atsteps 290 and 292. For example, such processing may include parsing themessage to extract specific command and control parameters for a clientdevice, such as instructions to activate or deactivate the device, toreinitialize the device, or to cause a message to be displayed via adisplay device, such as a television, CRT, LCD or other display screenassociated with the MISD.

The invention may be implemented by a computer program product whereincomputer instructions, when processed by a computer, adapt the operationof the computer such that the methods and/or techniques of the presentinvention are invoked or otherwise provided. Instructions for invokingthe inventive methods may be stored in fixed or removable media,transmitted via a data stream in a broadcast media or other signalbearing medium, and/or stored within a working memory within a computingdevice operating according to the instructions. Thus, the presentinvention also provides computer readable media storing computerreadable code for carrying out the method steps identified above. Thecomputer readable media stores code for carrying out subprocesses forcarrying out the methods described above.

While there have been described herein the principles of the invention,it is to be understood by those skilled in the art that this descriptionis made only by way of example and not as a limitation to the scope ofthe invention. Accordingly, it is intended by the appended claims, tocover all modifications of the invention which fall within the truespirit and scope of the invention.

1. A computer program product comprising a computer-readable mediumstoring computer-readable instructions configured to cause a computersystem to: receive as input a seed identity comprising an identificationcode; generate as output at least one unique identity as a function ofpredefined logic said unique identity being a unique network address. 2.The computer program produce of claim 1, further comprising acomputer-readable medium storing computer-readable instructionsconfigured to cause a computer system to: extract recipient identitydata from a received data transmission; compare the unique identity tothe recipient identity data; discard the data transmission if the uniqueidentity does not correspond to the recipient identity data; and processthe data transmission if the unique identity corresponds to therecipient identity data.
 3. The computer program produce of claim 2,further comprising a computer-readable medium storing computer-readableinstructions configured to cause a computer system to: extract recipientidentity data from a received data transmission; determine an addressingscheme with which the recipient identity data is compliant; generate theunique identity in compliance with the addressing scheme.
 4. Amultiple-identity secure device comprising: a microprocessor; a memoryoperatively connected to the microprocessor, the memory storing: a seedidentity, said seed identity being an identification code; and atransformation engine comprising instructions executable by saidmicroprocessor to: receive as input said seed identity; and generate asoutput at least one unique identity as a function of predefined logicaccessible to said transformation engine, said unique identity being acode uniquely identifying said multiple-identity secure device.
 5. Themultiple-identity secure device of claim 4, wherein said memorycomprises: a read-only memory (ROM) operatively connected to saidmicroprocessor, said ROM securely storing said seed identity; and anon-volatile storage memory operatively connected to saidmicroprocessor, said non-volatile storage memory storing saidtransformation engine.
 6. The multiple-identity secure device of claim4, further comprising: a data communication port capable ofinterchangeably receiving secure identity cards; a secure identity cardreceived in said data communication port, said secure identity cardstoring said seed identity.
 7. The multiple-identity secure device ofclaim 6, wherein said secure identity card comprises one of a CableCARD,a PCMCIA card, a SIM card and a Smart Card.
 8. The multiple-identitysecure device of claim 5, wherein said ROM comprises one of aprogrammable read only memory (PROM) and a one-time-programmable (OTP)memory.
 9. The multiple-identity secure device of claim 5, furthercomprising: application software stored in said non-volatile storagememory, said application software comprising computer-readableinstructions executable by said microprocessor to: extract a recipientidentity from a data transmission received by said multiple identitysecure device; compare said recipient identity to said unique identitygenerated by said transformation engine; discard said data transmissionif said recipient identity does not match said unique identity; andprocess said data transmission if said recipient identity matches saidunique identity.
 10. The multiple-identity secure device of claim 9,wherein said application software further comprises computer-readableinstructions executable by said microprocessor to: identify anaddressing scheme with which said recipient identity is compliant; andretrieve from memory of said memory a stored unique identity compliantwith said addressing scheme.
 11. The multiple-identity secure device ofclaim 9, wherein said application software further comprisescomputer-readable instructions executable by said microprocessor to:cause said transformation engine to generate said unique identity inresponse to receipt of said data transmission.
 12. The multiple-identitysecure device of claim 11, wherein said application software furthercomprises computer-readable instructions executable by saidmicroprocessor to: identify an addressing scheme with which saidrecipient identity is compliant; provide input identifying saidaddressing scheme to said transformation engine, said transformationengine being configured to generate said unique identity in compliancewith said addressing scheme in response to receipt of said input. 13.The multiple-identity secure device of claim 4, wherein saidtransformation further comprises computer-readable instructionsexecutable by said microprocessor to: store said unique identity in asecure area of said memory.
 14. The multiple-identity secure device ofclaim 4, wherein said identification code is assigned to be unique amonga plurality of assigned identification codes.
 15. The multiple-identitysecure device of claim 14, wherein said identification code comprises anetwork address.
 16. The multiple-identity secure device of claim 4,wherein said predefined logic used to generate said unique identityrequires application of a predefined bit mask to said seed identity. 17.The multiple-identity secure device of claim 4, wherein said predefinedlogic used to generate said unique identity requires adding of apredefined offset to the seed identity.
 18. The multiple-identity securedevice of claim 4, wherein said predefined logic used to generate saidunique identity includes conditional logic requiring generation of saidunique identity by a first method if a first condition exists, andgeneration of said unique identity by a second method if a secondcondition exists.
 19. A method for supporting multiple identities for asecure identity device, the method comprising: providing atransformation engine in the network device, the transformation enginecomprising computer-readable instructions executable by themicroprocessor to: receive as input the seed identity from the securememory; and generate as output at least one unique identity as afunction of predefined logic accessible to the transformation engine,the unique identity being a code uniquely identifying the networkdevice; and causing the transformation engine to run to generate aunique identity as a function of the stored seed identity.
 20. Themethod of claim 19, further comprising: causing the transformationengine to rerun generate an additional unique identity as a function ofthe stored seed identity, the additional unique identity being differentfrom the unique identity.
 21. The method of claim 19, furthercomprising: causing the transformation engine to store the uniqueidentity in memory of the network device.
 22. The method of claim 19,further comprising: storing a seed identity in a secure memory of anetwork device having a microprocessor.
 23. The method of claim 22,wherein storing the seed identity in the secure memory of a networkdevice comprises: storing the seed identity in ROM of a secure device.24. The method of claim 22, wherein storing the seed identity in thesecure memory of a network device comprises: storing the seed identityin a secure identity card having a secure memory; and installing thesecure identity card in a physical interface of the network device. 25.A method for processing data using a multiple-identity secure device(MISD), the MISD comprising a microprocessor, a memory operativelyconnected to the microprocessor, a seed identity stored in the memory,and a transformation engine stored in the memory, the transformationengine comprising computer-readable instructions executable by saidmicroprocessor to receive the seed identity as input and to generate asoutput at least one unique identity as a function of predefined logic,the method comprising: deploying an MISD for use in an informationnetwork: transmitting via the information network a data transmissionintended for delivery to a network device, said data transmissioncomprising recipient identity data; receiving, at the MISD, the datatransmission; extracting, at the MISD, the recipient identity data fromthe data transmission; obtaining, at the MISD, a unique identity for theMISD; comparing, at the MISD, the unique identity to the recipientidentity data; discarding the data transmission, at the MISD, if theunique identity does not correspond to the recipient identity data; andprocessing the data transmission, at the MISD, if the unique identitycorresponds to the recipient identity data.
 26. The method of claim 25,wherein obtaining the unique identity for the MISD comprises running thetransformation engine to generate the unique identity as a function ofpredefined logic accessible to the transformation engine, the MISDrunning the transformation engine in response to receipt of the datatransmission at the MISD.
 27. The method of claim 26, wherein obtainingthe unique identity for the MISD comprises: determining, at the MISD, anaddressing scheme with which the recipient identity data is compliant;identifying the addressing scheme to the transformation engine of theMISD; and generating the unique identity in compliance with theaddressing scheme.
 28. The method of claim 25, wherein obtaining theunique identity for the MISD comprises: running the transformationengine to generate a plurality of unique identities as a function ofpredefined logic accessible to the transformation engine, each of theplurality of unique identities being compliant with a differentrespective one of a plurality of addressing schemes; storing theplurality of unique identities in memory of the MISD; determining, atthe MISD, an addressing scheme with which the recipient identity data iscompliant; identifying the addressing scheme to the transformationengine of the MISD; and retrieving from the memory a selected one of theplurality of unique identities that is in compliance with the addressingscheme.